See Brian’s most recent previous post by clicking here.
See all of Brian’s previous posts by clicking here.
Follow Brian on Twitter by clicking here.
Your password will probably be hacked soon, and how to (actually) solve the problem
Smithsonian Magazine recently reported: “Your Password Will Probably Be Hacked Soon” and delivered a troubling quote from Ars Technica:
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
After the Twitter accounts for Burger King as well as Chrysler’s Jeep were recently broken into, Twitter apparently issued some advice to the effect that people should be smarter about their password security practices. So: use lots of letters and numbers, make passwords 10 characters or longer, use a different password for every one of your online accounts, and so on.
But this is nuts. Does Twitter know anything about how human beings actually work? Why do you think people reuse their passwords for multiple sites? Why do you think people select easy-to-remember (and easy-to-discover) factoids from their childhoods as answers to security questions?
Because we’re not good at remembering things, that’s why. And we’ve got so much going on that it’s very difficult to be bothered about setting up a complex password protection-and-management scheme. Meanwhile, the incentive to be “plugged in” to multiple online networks is huge (and growing), and so we carry on our merry way. As the Smithsonian article concluded:
Chances are, even knowing that passwords are easy to crack, most of us will keep our silly p@$$w0rd tricks that don’t actually protect us.
Yes, that’s right. Human beings are limited, fallible creatures. We are prone to a huge array of decision-making biases, and we don’t fathom risk very well. Thanks to the recent efforts of psychologists and behavioral economists, this insight is now widely recognized and it most profoundly ought to influence how we design our institutions and social practices, online and off. It’s the idea behind “nudging” or reshaping the choice matrix people encounter to encourage better decisions without cramping autonomy or freedom of choice. And it’s the idea behind good product design – the “It Just Works” philosophy of companies like Apple.
If Twitter cares about the account security of its millions of users, it should invest in real solutions to the password-hacking problem: solutions that take into account the rangebound psychological architecture of actual, real-life humans. Asking people to memorize multiple long strings of random letters, digits and symbols in order to safeguard their online portals and personal information is a losing strategy. What might be a smarter approach?
What about something like fingerprint identification for access to online accounts? Most screens being manufactured these days are touch-screens, and if someone can get the technology right, and convince me it’s safer and more fool-proof than my own pathetic memorization skills, I’d very happily press my phalanges onto my phone or computer screen to gain privileged, less-hackable access to Twitter, Facebook, and wherever else. Nothing to remember. Same gesture for every account. No one else should be able to do it.
Apparently, some HP Notebooks come equipped with a version of this technology. But why isn’t it on my Mac? Why am I not doing this at the bank to get money from the ATM? Why can’t I pay for groceries at the store with the press of a pinkie?
I’m sure that the futurist tech nerds on this blog (and among its readership) will point out some holes in my idea here — and perhaps the specific notion of fingerprint access isn’t the way to go — but the core point, I think, is sound: password protection is a huge deal, and people are not inherently good at it. Asking them to remember lots of sets of alphanumeric character strings is probably not going to work in the long run. Some will pull it off. Most will not. More creative thinking is needed for a workable solution.
What are your ideas?
________________________________________
Have you ever seen this before?
http://xkcd.com/936/
You might find this interesting: http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/
Great blog post! Totally agree that strong passwords aren’t optimized for human brains.
I like the fingerprint idea a lot. One issue with various biometric systems is accessible design — what’s the alternative for people without hands/fingerprints, eyes, etc.? Something to consider.
In the meantime, I have a suggestion for a password system that I’ve found pretty effective and aligned with the way my brain works. The first chunk of characters in the password are a set that you can easily remember, and the last three (or however many) digits are unique to whatever thing you’re signing up for. For example, I loved the book Oryx and Crake growing up. Neither is a common word to begin with, since they’re animal species’ names, and on top of that, I can do the standard number/symbol substitution. I could reasonably memorize 0ry#ncr@k3 as the base chunk. That puts me at 10 characters that are unrecognizable to anyone else yet meaningful — and memorable — to me.
Then let’s say I’m signing up for Facebook. The rule could be that I take the first three letters, “fac” and move one key to the right on the keyboard: “gsv”. My Facebook password would then be 0ry#ncr@k3gsv. For gmail, it would be 0ry#ncr@k3h.s. Now I’m at 13 characters — even better.
If I know I use the same system for every single signup, I can just use my rule to recreate the unique portion of the password whenever I forget a password. This system has served me well so far. (Of course, I’ve modified every aspect of my *actual* system, but this is the general structure.)
I’m sure people out there have better and more sophisticated systems for creating unique passwords, but thought I’d share mine to get the ball rolling.
Multi-factor authentication. It catches all of the small-time phishing and trojans (which comprise 99% of the hacking schemes out there for low profile users). It’s not infallible, but it’s a big step up from the “high quality password” defense.
You can remember things from your childhood, you can remember your first kiss and you can remember the names of your teachers in first grade. Yet you cannot remember the passphrase “This is my secret passphrase.”
The problem with most password recommendations is that they do not take into account the psychological issues you mention, they are based on mathematical/cryptographical “randomness” – or just plain stupidity.
Another problem is the need for frequent changes, because almost nobody can give a good answer to WHY you have to change your password frequently.
The majority of password leaks are not happening due to bad passwords – but to service providers’ inability to PROTECT your password properly. Using stronger mechanisms to protect & store passwords, password policies don’t have to include the use of sign language and squirrel noises. (http://dilbert.com/strips/comic/2005-09-10/)
Biometric solutions are still costly to implement and operate, and have many other types of flaws associated with them. As long as passwords are cheaper to implement, they won’t go away or be fully replaced.
Solutions to all this include 2-factor authentication, which usually involves an initial setup and then a one-time authorization of each new device you want to use (like Facebook offers already). Better password transmission & storage obviously, but that’s not your fault. Blame the service providers!
Best regards,
Per Thorsheim
Founder/organizer of the “Passwords” conferences – ONLY about passwords.
Media archive from 2012: http://passwords12.at.ifi.uio.no/
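Worked example, added in editing and not from the comment above or its author: what "stronger mechanisms to protect & store passwords" means on the provider side. The code contrasts an unsalted fast hash with a per-user salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), and runs the same wordlist attack against both tables. The user accounts and the wordlist are constructed for the demonstration; the iteration count is an assumption and should be tuned to the server's hardware.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; not from any real breach. Two users picked the same
# password, which is the normal state of any large user base.
SAMPLE_USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct horse battery staple",
}
# Constructed attacker wordlist.
WORDLIST = ["password", "letmein", "Summer2012!", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster


def store_unsalted_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: bytes = None) -> str:
    """The stronger scheme: per-user random salt plus a deliberately slow KDF.
    Returns a self-describing record so the parameters can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    A malformed record is treated as a failed login rather than an exception."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Offline attack on an unsalted table: one hash per guess is checked against every
    user at once. Returns (recovered {user: password}, number of hash computations)."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    recovered, hash_ops = {}, 0
    for guess in wordlist:
        hash_ops += 1
        for user in by_hash.get(store_unsalted_md5(guess), []):
            recovered[user] = guess
    return recovered, hash_ops


def crack_salted(table: dict, wordlist: list) -> tuple:
    """Same attack on the salted, slow table: every guess must be re-derived per user,
    and each derivation costs PBKDF2_ITERATIONS HMACs instead of one hash."""
    recovered, hash_ops = {}, 0
    for user, record in table.items():
        for guess in wordlist:
            hash_ops += 1
            if verify_pbkdf2(guess, record):
                recovered[user] = guess
                break
    return recovered, hash_ops


if __name__ == "__main__":
    weak = {u: store_unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: store_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted:", crack_unsalted(weak, WORDLIST))
    print("salted+slow:", crack_salted(strong, WORDLIST))
```

The same wordlist recovers the same weak passwords in both cases; what changes is the cost. Against the unsalted table one MD5 per guess covers all users and identical hashes expose password reuse at a glance. Against the salted table the attacker pays one full derivation per guess per user, which is why the provider's choice of storage scheme, not the user's choice of squirrel noises, sets the price of a breach.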
Lastpass + Two-factor authentication => secure & simple
Biometrics such as fingerprints are not a valid network credential. Biometrics can be copied as easily as passwords, but they cannot be replaced. So upon a breach, your identity is forever screwed.
Biometrics in conjunction with other protections, may be used for local security (only).
A token device, or a public key system, may be a way forward though.
The best system I have found so far is to make up my own function from [website name] to [letters and numbers]. I use the same algorithm over and over again, but the passwords are dissimilar.
Obviously, not sharing my algorithm, but a (far too) simple example of the general idea might be to use the letter correspondences to numbers on a phone dial, so that “google” becomes “466453.” It’s not too hard to extend this scheme to letters and punctuation.
I’ll have to check out Richard Chappel’s method, though. It sounds a little more secure.
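Worked example, added in editing and not from either commenter: the two home-grown schemes above (a memorized base chunk plus a "one key to the right" suffix from the site name, and a phone-keypad mapping of the site name) are both deterministic functions of the site name. The code implements both and then shows what an attacker computes from one or two leaked passwords. It assumes a US QWERTY layout, on which the key to the right of m is the comma, and the standard 2-9 phone keypad; the site names and the "twitter" target are constructed for the demonstration.

```python
import os

# Assumed US QWERTY rows for the "one key to the right" rule.
QWERTY_ROWS = ("qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")
RIGHT_OF = {row[i]: row[i + 1] for row in QWERTY_ROWS for i in range(len(row) - 1)}

# Standard 2-9 phone keypad for the second commenter's rule.
PHONE_KEYS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
              "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in PHONE_KEYS.items() for c in letters}


def shift_right(text: str) -> str:
    """Replace each character with the key to its right on a US QWERTY keyboard."""
    return "".join(RIGHT_OF[c] for c in text.lower())


def phone_digits(text: str) -> str:
    """Replace each letter with its phone-keypad digit."""
    return "".join(LETTER_TO_DIGIT[c] for c in text.lower())


def derive(base: str, site: str, rule, prefix_len=3) -> str:
    """Base chunk plus a suffix computed by `rule` from the site name: its first
    `prefix_len` letters, or the whole name when prefix_len is None."""
    part = site if prefix_len is None else site[:prefix_len]
    return base + rule(part)


def passwords_for(base: str, sites, rule, prefix_len=3) -> dict:
    """The user's view: one rule, one base, a distinct password per site."""
    return {site: derive(base, site, rule, prefix_len) for site in sites}


def recover_base(site: str, leaked: str, rule, prefix_len=3) -> str:
    """The attacker's view with the rule known: strip the computable suffix from one
    leaked (site, password) pair and the base chunk for every other site falls out."""
    suffix = rule(site if prefix_len is None else site[:prefix_len])
    if not leaked.endswith(suffix):
        raise ValueError("password does not follow this rule for this site")
    return leaked[: len(leaked) - len(suffix)]


def shared_prefix(leaked_passwords) -> str:
    """The attacker's view with the rule unknown: two leaked passwords for the same
    person reveal the base as their common prefix, no rule needed."""
    return os.path.commonprefix(list(leaked_passwords))


if __name__ == "__main__":
    base = "0ry#ncr@k3"  # the first commenter's illustrative base chunk
    mine = passwords_for(base, ["facebook", "gmail", "twitter"], shift_right)
    print("user's passwords:", mine)
    print("base from one leak:", recover_base("facebook", mine["facebook"], shift_right))
    print("base from two leaks, rule unknown:", shared_prefix([mine["facebook"], mine["gmail"]]))
    print("phone-keypad password for google:", derive("", "google", phone_digits, None))
```

Both schemes do give every site a different string, which defeats the plain credential-stuffing the post worries about. What they do not give is independence between sites: the per-site part is computable by anyone who guesses the rule, and the shared part is visible in the clear once two of the passwords leak, which is the property a randomly generated, per-site password from a manager (as the next comment suggests) has and these do not.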
I’m concerned by online password managers, but I’d recommend offline password managers such as PasswordSafe (http://www.schneier.com/passsafe.html); in essence, a password manager is a locked safe which contains all your passwords (which it randomly generates and you need not remember) and you only need to remember one password to access it.
You will be interested in this site http://www.cl.cam.ac.uk/~rja14/
Ross also has his book on Security Engineering (2nd Ed) free at
http://www.cl.cam.ac.uk/~rja14/book.html
(I wish the cl.cam habit of publishing their work free would spread.)